There's really no standard practice. It's more a preference determined by the company policy or an administrative policy.
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi, thanks for reading.
I'm about to undertaker an install of some metrology software onto a measuring machine.
IT have refused to do it as they don't understand it, but obviously the task needs admin access, which I don't have.
They are however happy to remote on and type their password in when needed.
The question is, is this best practice?
Should they be blindly putting in their password without knowing the process and what it involves?
Is there anything in any standards that cover such things?
To me if a task requires admin access it should be performed by a component administrator.
There's really no standard practice. It's more a preference determined by the company policy or an administrative policy.
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
For the server team that I was on, we would temporarily add your AD account to the Administrators group on the PC/server. Then let you do whatever you needed to do to get the software installed and configured. There was no way that I was going to let you use my AD credentials to do that because that would require that I watch everything that you did. We would then remove your account from the administrators' group when you were done.
I think a lot depends on how many servers and applications your organization has, how much the server team trusts the application team, and how many times the server guys have to rebuild a machine because the app guy was playing with Powershell and deleted almost everything in Windows\System32. (He did it twice before I revoked his access.)
We just didn't have the manpower to install all of the applications on the number of servers we had. On many servers the application team, or a small subset of "guys that we trust", had permanent admin access. It was their app to support and if they messed up, they had to answer to the managers and explain what happened.
As DSPatrick mentioned, it all depends on your organization's policies. Good luck.
Hello @Ian2019831 ingle
Maybe this would be a question for a forum related to cybersecurity or compliance, but I would give my best shot.
My answer would be "depends". First of all, in a perfect world, any software running in the domain/network needs to be approved by IT. To be approved, they would need to understand and test it. And then, they would be able install it. They may still need an experience user to configure it or manage it, but not to install.
On the other hand, depending on the security measures of the company, may be safe to type in credentials on a UAC type screen as this credentials can't be carried over to other operations. At the same time, security measures may help to track or protect from the abuse of that credentials.
What it should be forbidden is to open a CMD, POWERSHELL or other shell such as File Explorer or Edge/IE where the admin permission can be carried over for any operation running on that shell. In case needed, IT should keep in remote session as witness of what the user completes, and ensure that the shell windows are closed (sometimes pushing a forced reboot remotely)
Hope this helps with your query,
-----------
--If the reply is helpful, please Upvote and Accept as answer--